CN105874462B - Using the notice of license - Google Patents
Using the notice of license Download PDFInfo
- Publication number
- CN105874462B CN105874462B CN201480071883.3A CN201480071883A CN105874462B CN 105874462 B CN105874462 B CN 105874462B CN 201480071883 A CN201480071883 A CN 201480071883A CN 105874462 B CN105874462 B CN 105874462B
- Authority
- CN
- China
- Prior art keywords
- api
- api calls
- application
- instruction
- equipment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6281—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2101—Auditing as a secondary aspect
Abstract
It provides for authorizing using license and providing method, system and the computer-readable medium of API activity notification.Exemplary method may include receiving the first API Calls made by the application installed.This method may further comprise determining received first API Calls level of sensitivity.This method can further comprise when received first API Calls identified level of sensitivity it is associated with limited API category when, determine whether the author of installed application is authorized author, and when the author for determining installed application is authorized author, allow received first API Calls access its associated AP I.Exemplary system may include instruction, described instruction by one or more processors when being executed, so that the API Calls that one or more processors detection is made by application, the level of sensitivity of API Calls is determined based on associated data, and the instruction of API Calls is provided based on identified level of sensitivity, the API Calls are for accessing data associated with equipment is calculated.
Description
Background technique
Security model for application, which is usually directed to, shows some species of dialogue to user when installing application.User can
To be provided the chance looked back various access permissions and receive them.Such user receive after, installed application one
As there is access to the set of Application Programming Interface (API) on the basis of forward.The application installed has the visit to it
The certain API asked may be with the sensitive data of user or information-related.
Summary of the invention
The present disclosure relates generally to application license and data safeties, and relate more specifically to and authorize using license and mention
For the related technology of API activity notification.
Disclosed subject technology is related to computer implemented method, and the method is permitted for authorizing to apply during installation
Can, the authorization of the author based on application allows API Calls, and provides the movable notice of API.It should be appreciated that subject technology
Various embodiments may include following characteristics any one, all or do not include.Exemplary method may include that processing installation is answered
Request, it is required that the application can access one or more application programming interface (API).This method may further comprise determining
The level of sensitivity for each API in API that one or more requires.In addition, this method may include when one or more of
It is required that API at least one API identified level of sensitivity it is associated with limited API category when, it is desirable that using peace
The code of full mechanism delivery applications.
The method that another exemplary computer is realized may include receiving the first application programming made by the application installed
Interface (API) calling.This method may further comprise determining received first API Calls level of sensitivity.This method can
Further comprise when received first API Calls identified level of sensitivity it is associated with limited API category when, determine
Whether the author for the application installed is authorized author.In addition, this method may include when the work for determining installed application
When person is authorized author, allow received first API Calls access its associated AP I.
The method that another exemplary computer is realized may include the request of processing installation application, it is required that being made by the application
One or more application programming interface (API) calling.This method may further comprise determining the creation entity of the application.The party
Method may further comprise determining whether the creation entity is authenticated by one or more trusted entities.In addition, this method may include working as
When the creation entity is authenticated by least one trusted entities in one or more trusted entities, allow the installation of the application.
The method that another exemplary computer is realized may include detecting the API Calls made by application, which is used for
Access data associated with equipment is calculated.This method can further comprise that the spirit of API Calls is determined based on associated data
Sensitivity is horizontal.In addition, this method may include providing the instruction of API Calls based on identified level of sensitivity.
Authorization of the disclosed theme further to the author during installation for authorizing application license, based on application
Allow API Calls and the system of the movable notice of API is provided.Example system may include one and multiple processors and packet
Include the memory of instruction, described instruction when executed by one or more processors so that one or more processors are grasped
Make.The one or more processors of system can be configured to the request of processing installation application, it is required that the application can access one
Or multiple Application Programming Interface (API).The one or more processors of system can be further configured to determine one or more
It is required that API in each API level of sensitivity.In addition, the one or more processors of system can be configured to when described
When the identified level of sensitivity at least one API in API that one or more requires is associated with limited API category,
It is required that using the code of security mechanism delivery applications.
Another example system may include one or more processors, is configured as receiving and be made by the application installed
First Application Programming Interface (API) calling.The one or more processors of system can be further configured to determine that institute is received
The level of sensitivity of first API Calls.The one or more processors of system can be further configured to work as institute received first
When the identified level of sensitivity of API Calls is associated with limited API category, determine installed application author whether be
Authorized author.Determine that the author of installed application is in addition, the one or more processors of system can be configured to work as
When authorized author, allow received first API Calls access its associated AP I.
Another example system may include one or more processors, be configured as the request of processing installation application,
It is required that one or more application programming interface (API) calling that the application is made.Can by the one or more processors of system into
One step is configured to determine the creation entity of the application.The one or more processors of system can be further configured to determine the wound
Make whether entity is authenticated by one or more trusted entities.It is somebody's turn to do in addition, the one or more processors of system can be configured to work as
When creating at least one trusted entities certification of the entity by one or more trusted entities, allow the installation of the application.
Another example system may include one or more processors, be configured as detecting the API Calls made by application,
The API Calls are for accessing data associated with equipment is calculated.The one or more processors of system can further be configured
For the level of sensitivity for determining API Calls based on associated data.In addition, the one or more processors of system can be configured
To provide the instruction of API Calls based on identified level of sensitivity.
Disclosed theme further relates to example machine readable medium, including storage instruction therein, executes by system
When, instruction is so that system is operated, and for being authorized during installation using license, the authorization of the author based on application allows
API Calls, and the movable notice of API is provided.Example machine readable medium may include the request for handling installation application
Instruction, it is required that the application can access one or more application programming interface (API).Machine readable media can further comprise using
In the instruction of the level of sensitivity for each API for determining one or more desired API.In addition, machine readable media may include
When the identified level of sensitivity of at least one API of the API of one or more of requirements is associated with limited API category
When, it is desirable that the instruction of the code of the application is delivered using security mechanism.
Another example machine readable medium may include for receiving the first application programming made by the application installed
The instruction of interface (API) calling.Machine readable media may include for determine received first API Calls level of sensitivity
Instruction.Machine readable media may include when institute's identified level of sensitivity of received first API Calls and limited API class
Not Xiang Guanlian when, for determine installed application author whether be authorized author instruction.In addition, machine readable Jie
Matter may include allowing received first API Calls of institute to access when the author for determining installed application is authorized author
The instruction of its associated AP I.
Another example machine readable medium may include the instruction for handling the request of installation application, it is required that the application
One or more application programming interface (API) calling made.Machine readable media may include for determining that the creation of application is real
The instruction of body.Machine readable media may include the finger whether authenticated by one or more trusted entities for determining the creation entity
It enables.In addition, machine readable media may include for when the creation entity by least one of one or more trusted entities by
When believing entity authentication, allow the instruction of the installation of the application.
Another example machine readable medium may include the instruction for detecting the API Calls made by application, which exhales
It cries for accessing data associated with equipment is calculated.Machine readable media may include for being determined based on associated data
The instruction of the level of sensitivity of API Calls.In addition, machine readable media may include for being mentioned based on identified level of sensitivity
For the instruction of the instruction of API Calls.
It should be appreciated that (wherein showing and describing the various of subject technology by way of diagram according to described in detail below
Configuration), the other configurations of subject technology will become obvious.It should be appreciated that subject technology can using other configurations and
Difference configuration, and its several details can be modified in various other aspects, all without departing from the range of subject technology.Cause
This, attached drawing and detailed description should be considered as illustrative and not restrictive in itself.
Detailed description of the invention
Certain features of subject technology are provided in appended claims.But for illustrative purposes, it provides in the accompanying drawings
Several embodiments of subject technology.
Fig. 1, which is illustrated, provides exemplary client-server network ring of application license according to the various aspects of subject technology
Border.
Fig. 2 illustrates the various aspects according to subject technology, for authorizing using the writer identity trust techniques permitted
Example.
Fig. 3 A and Fig. 3 B illustrate the example that notification technique is used according to the API of the various aspects of subject technology.
Fig. 4 illustrates the various aspects according to subject technology, the process of the application for installation requirement one or more API
Example.
Fig. 5 illustrates the various aspects according to subject technology, for limiting the API Calls made by the application installed
The example of process.
Fig. 6 illustrates the various aspects according to subject technology, with asking for the application of installation requirement one or more API Calls
Seek the example of related process.
Fig. 7 conceptually illustrates the electronic system that some aspects of subject technology are realized using it.
Specific embodiment
Detailed description given below is intended as the description of the various configurations of subject technology, it is not intended that expression can be real
Unique configuration of existing subject technology.Attached drawing is incorporated in herein and constitutes a part of detailed description.Detailed description includes using
In offer to the detail of the thorough understanding of subject technology.It is clear that and it is readily apparent that subject technology is not limited to this
Detail given in the test can be practiced without these specific details.In some instances, according to
The form of block diagram shows structure and component, in order to avoid obscure the concept of subject technology.
According to the various aspects of subject technology, disclosure description is movable for managing application license and instruction API Calls
Technology.For example, the application license that they agree to when many users are for downloading and installing application has relatively low cognition.Together
Sample, user is for these application licenses and since any problem caused by installed almost is ignored, for example, especially
When being widely applied to device downloads.
Therefore, in some examples, it is described herein during installation and is used to authorize and manage during the use of application
For the technology of the application license of application.These technologies can be utilized separately for improving the safety of user information and for visiting
The cognition asking what information and being accessed by whom.However, it is possible to the technology is applied in combination, to provide using License Management scheme and
Message reference visibility.
In some instances, mobile device can receive installation requirement access one or more API application request (or
Person sends the request of downloading).The level of sensitivity that can be determined and apply associated API, and work as the sensitivity of API Calls
When level is confirmed as having sensitive or limited property, the security mechanism of identification author is can be used to require in mobile device
The code of the application of delivering.
For example, the delivering using security socket layer (SSL) agreement and SSL certificate can be required.It can be by ssl protocol technology
As enable two systems via the security mechanism of encrypted data communications.Reception system has certification received data true
In fact from the ability for claiming that its source of delivering is transmitted.
In other examples, such as, when in advance will be using installing on the mobile apparatus, mobile device can be received from application
API Calls.Then, mobile device can determine that the received API Calls of institute are that sensitive API Calls are still limited API Calls.If
Determine that the received API Calls of institute are sensitive API Calls or limited API Calls, then only when the author for the application installed is through awarding
The author of power just can permit the received API Calls of institute.
By determine application installation during certificate associated with the delivering of code whether be trusted entities it is all or by
Trusted entities are confirmed can determine whether the author of installed application is authorized author.According to various examples and reality
Mode is applied, trusted entities can be corporate entity or personal user.
For example, can further be used when the request of the application of equipment processing installation requirement one or more API Calls
Authorize the trusted entities approach using license.For example, for example, the user of equipment may want to starting from remote server to application
Downloading, but not necessarily know that the author of application is the authority of who or author.Hence, it can be determined that the creation of application is real
Body, and if having authenticated creation entity by one or more trusted entities, it is one or more that equipment can permit requirement
The downloading and installation of the application of API Calls.
In this regard, the approval to API license is not made on the basis of applying one by one, but according to subject technology
The user of equipment can indicate the trust to trusted entities.Therefore, each entity in multiple trusted entities may be used to indicate by
License provides a user multiple authors of application.
In other examples, it can provide about called API Calls, to the user of equipment for offer instruction and in detail
The technology carefully notified.For example, equipment can provide a user API Calls or other information access request in the real-time finger of generation
Show.In this example, when applications trigger user is undesirable sensitive or limited API Calls, the user of equipment can run application
(such as, car race game).For example, car race game application can call the access with the financial data of the user stored in equipment
Associated API Calls.
In response to sensitive or limited API Calls, equipment can provide the just incipient instruction of sensitive or limited API Calls.
For example, equipment can be activated positioned at the API Access indicator lamp in somewhere on telephone casing or on the display screen of equipment
API Access indicator icon.For example, indicator lamp and/or indicator icon can be based on sensitivity associated with API Calls
Level illuminates, flashes, flashes or beats different colors (for example, red, yellow or green) with the different duration.
In another example, API Access log can be provided as notice log visible on the display screen of equipment.?
In some embodiments, API Access log can be dedicated to only provide API Access notice.For example, API Access log can wrap
The entry of the related information of the API Access event having already appeared in offer and equipment is provided, such as Apply Names, level of sensitivity,
Details, time etc..In some embodiments, it can be opened from the API Access indicator icon on the display screen for being located at equipment
Dynamic API Access log.
For this purpose, can be visited together with notice details CommAPI related with the level of sensitivity of API Calls detected
The real-time instruction asked enables easily that sensitive or limited API and equipment is current according to the user of the equipment of subject technology
The application of execution is associated.
It is described in further detail below according to the living using permitting and providing API for authorizing of subject technology various aspects
The system and technology of dynamic notice.
Fig. 1 illustrates the example visitor that can be supported using permitting and can be used for realizing the various technologies for being granted or denied license
Family end-server network environment.Network environment 100 may include such as communicably being connected to server 110 by network 108
Multiple electronic equipments 102,103,104,106, one or more servers 110 and network 108.In other examples, electric
Sub- equipment 102,103,104,106 is such as communicably connected with each other by network 108, but right and wrong are communicably connected to one
A or multiple servers 110.
In the example of fig. 1, one or more servers 110 can with trustship one or more system or service, including but
It is not limited to the system for being used to download and install based on application licensed technology.In some examples, in one or more servers 110
Each server can be and single calculate equipment, such as computer server.In other examples, one or more servers
110, which can indicate to work together, calculates equipment (for example, the cloud of computer with more than one of the movement of execute server computer
Or distributed system).In another example, each server in one or more servers 110 can by with various numbers
It is coupled according to library, storage service or other calculating equipment.Each server in one or more servers 110 with coupled
Database, storage service or other calculate equipment can be aggregated, can also be bandwidth or put differently.
For example, each server in one or more servers 110 may include one or more processing equipments 112 and
One or more data storages 114.One or more processing equipments 112 can execute institute in one or more data storages 114
The instruction of storage.Computer instruction can be stored in non-transitory computer-readable medium by one or more data storages 114.
Network 108 can be public communication network, dedicated communications network or their combination.In some examples, net
Network 108 may include personal area network (PAN), local area network (LAN), school domain net (CAN), Metropolitan Area Network (MAN) (MAN), wide area network (WAN), broadband networks
Any one or more of network (BBN), internet etc..Further, network 108 may include but be not limited to following network topology
Any one or more: including bus network, star network, loop network, mesh network, star-bus network, it is tree-like or
Hierarchical network etc..
Network 108 can be public communication network (including but not limited to internet, cellular data network, cable data network
Network or dialing modem by Public Switched Telephone Network) or dedicated communications network (such as, for example, dedicated local-area
Net (" LAN ") or leased line network).Network 108 any one of may also include but be not limited to following network topology or more
It is a: including bus network, star network, loop network, mesh network, star-bus network, tree-like or hierarchical network etc..
In some embodiments, electronic equipment 102,103,104 and 106 can be on such as laptop computer or table
Type computer, smart phone, personal digital assistant (" PDA "), portable media player, tablet computer, TV, Huo Zheyou
One or more processors are coupled or the calculating equipment of other displays being embedded or other calculating appropriate are set
It is standby.In the example of fig. 1, electronic equipment 102 is portrayed as desktop PC, electronic equipment 103,104 is portrayed as intelligence
Phone, and electronic equipment 106 is portrayed as tablet device.
Using various File Sharing Techniques and Data Transport Protocol (such as, but not limited to hypertext transfer protocol (HTTP),
Extend message Presence Protoco (XMPP), File Transfer Protocol (FTP), safety shield (SSH), Server Message Block (SMB) etc.) it can
To promote the communication between electronic equipment 102,103,104,106 and server 110.In other examples, not with server
In the case where 110 communications, electronic equipment 102,103,104,106 can be in communication with each other.
In the example of fig. 1, each electronic equipment 102,103,104,106 can in response to installation application request,
From another downloading application in server 110 or electronic equipment 102,103,104,106.Can from network 108 (or with
Its connect) another equipment receive to installation application request, can also by will install application electronic equipment 102,
103,104,106 are started.
In operation, server 110 can provide and handle the operation for trustship website, and website can will apply and be delivered to
Electronic equipment 102,103,104,106.It is applied to be downloaded from the website of trustship, electronic equipment 102,103,104,106 can be with
Respectively establish the communication with server 110.
It is mounted on electronic equipment 104 for example it is assumed that will apply, and application request carries out sensitive or limited API Calls
(for example, position that application request obtains user), then the licensing system of electronic equipment 104 requires to determine whether using acquisition
The mode of the position of user.In order to determine whether sensitive as application access or limited information, licensing system will be sensitive
The permission (or refusal) of API Calls is established on the basis of writer identity ownership, for example, the author of application or creation entity.
According to various aspects, the author of application or creation entity can be the individual or reality that development and application or distribution are applied
Body.In some instances, author or creation entity can be both developer and distribution person of application.In other instances, it answers
Author or creation entity can be to provide the distribution of application or promote the entity of the distribution of application.
In some examples, writer identity ownership is whether the author based on application has SSL certificate, the SSL certificate
The binary code for having been used for apply is delivered to electronic equipment 104.It is, for example, possible to use ssl protocol technologies to realize
Two systems are via encrypted data communications.Reception system (such as licensing system of electronic equipment 104) has certification institute received
Data are really from the ability for claiming that its source of delivering is transmitted.
For example, can use similar skill when the equipment of user attempts from remote server retrieval network Email
Art.If the equipment of user is connected to the network of non-internet connection (for example, the wireless network in the hotel of limitation internet access
Network), the web browser of the equipment of user can provide instruction, and the website for indicating user's trial connection is unlike holding
Recognize the website (for example, the business of user is intercepted by hotel service device, because user not yet pays accessing wirelessly) of communication.
According in some terms, can be by such security mechanism and similar variation and embodiment (for example, verifying SSL
Certificate) for confirming through application code performed by electronic equipment 104 from the server for being identified as application code source.
If the code delivered is not by certificate correct labeling and if certificate itself is not trusted (for example, there are no quilts for certificate
Some other third parties that user is trusted are confirmed), sensitive or limited API Calls are carried out then would not allow for applying.With regard to this
For, if a user indicate that he or she trusted from source (for example, web services supplier or ISP) institute received source generation
The licensing system of code, electronic equipment 104 will allow application access sensitive based on the identity of the authorized entity of delivering code
Or limited API Calls.
As a result, electronic equipment 104 1 receives and applies associated code, the licensing system of electronic equipment 104
Need not undergo user-approved he or she trust the additional step of the specific application in the case where allow installed application immediately
Access sensitive or limited API.Therefore, the user of electronic equipment 104 can trust the source of application and need not trust each independence
Using.
It further describes below with reference to Fig. 2 to Fig. 6 and with continued reference to Fig. 1 for the various technologies using license to be laminated.
Fig. 2 illustrates the example of the trust techniques for authorizing license.It can be used for using 262a-c, 264a-c and 266
Installation in mobile device 204.In some instances, using each application in 262a-c, 264a-c and 266 by different wounds
Make entity creation.Mobile device 204 is operable as trusting different entities (for example, trusted entities), therefore can be by trusted entities
The application of creation entity creation trust or certification is directly downloaded to mobile device 204, without any user interface matter
The additional license request of inquiry or server (for example, server 110).
For example, mobile device 204 may include the accredited web services supplier 252 as trusted entities, and for promoting
The accredited connection 212 of access and/or downloading application.But mobile device 204 not yet includes the service offer as trusted entities
Person 254, and have not accredited connection 214 about ISP 254.
It should be appreciated that for example, ISP 254 can be the accredited supplier for other equipment, and if there is
When mobile device 204 select to include ISP 254 as trusted entities, then ISP 254 can be movement
The trusted entities of equipment 204.
In addition, can be by creation using 262a-c, 264a-c and 266 each creation entity selection by mobile device 204
And it is appointed as trusted entities.But in the following example, in itself, 262a- is applied in the not yet specified creation of mobile device
C, any creation entity of 264a-c and 266.But accredited web services supplier 252 clearly trusts and authenticated
Each entity in the creation entity of application 262a-c.For example, mobile device 204 can handle installation requirement access one or
The request using 262a of multiple API Calls.Mobile device 204 determines the creation entity for applying 262a, and determines and apply 262a
Creation entity authenticated by accredited web services supplier 252.Therefore, mobile device 204 allows to download and installs application, no
Any license dialogue for needing to be directed to the user of mobile device 204, regardless of whether being wanted to sensitive or limited API using 262a
Seek API Calls.
In addition, mobile device 204, which can be similarly processed to install the request using 262b and install automatically, applies 262b, because
Equally trusted and authenticated by accredited web services supplier 252 for application 262b.But if accredited web services supplier
The certification of 252 its trusts of revocation and 262b, and if installed via mobile device 204 using 262b, it will be same
Any API Calls by making using 262b are cancelled to sample by mobile device 204.For example, accredited web services supplier 252
There can be the equipment dispatch order of accredited connection 212 to it and/or cancel the SSL issued to the creation entity of application 262b
Certificate.
In the figure 2 example, ISP 254 clearly trusts and the creation entity of authentication application 264a-c
In each entity.But it about downloading and installing automatically application in mobile device 204, is created by 254 Duis of ISP
Any trust and the certification for making entity are not important for mobile device 204.But 264a-c is applied in some cases
Creation entity trust and certification may have some associations, as described below.
For example, mobile device 204 can handle the asking using 264c that installation requirement accesses one or more API Calls
It asks.Mobile device 204 determines the creation entity for applying 264c, and determines and be not moved equipment 204 using the creation entity of 264c
Any trusted entities trust or certification.Therefore, mobile at least at the beginning about the automatic downloading (as mounting technique) of trust
The refusal of equipment 204 requires the installation using 264c of one or more API Calls.
But in some instances, mobile device 204 can receive to installation using 264c (for example, map and driving side
To program) request, identification apply 264c one or more API Calls, and identify authentication application 264c creation entity
Multiple entities.Therefore, equipment 204 can provide dialogue in the user interface, indicate one or more API Calls of application
And ISP 254 related with the location information of mobile device 204 (such as well known ISP) and 15 other
The creation entity of entity (for example, wherein several be considered as high confidence) authentication application 264c.If the user of equipment 204
Agree to allow such license based on information provided in dialogue, so that it may recognizing for confirmation received request is handled, and
And it can will be mounted in mobile device 204 using 264c.
In another example, mobile device 204 can receive to installation using 266 (for example, existing using mobile phone
The flash lamp program of camera flash) request, identification apply 266 one or more API Calls, and identify authentication application
Several entities of 266 creation entity.Therefore, equipment 204 can provide dialogue in the user interface, indicate one of application
Or the browser history data that store in multiple API Calls and the access of Email and mobile device 204 are related and 3
The creation entity of a entity (for example, neither for known to the user of mobile device 204) authentication application 264c.Therefore, equipment
204 user not necessarily agrees to allow such license and refuses received request.
Fig. 3 A is the example using API using the mobile device 304 of notification technique.In some examples, mobile device 304
API Calls or the occurent instruction of other information access request can be provided a user.For example, API Calls can be with movement
API and accessed data in equipment 304 are associated, or with the API in mobile device 304 and are remotely accessed data
It is associated.The user of mobile device 304 can run using 335 (such as playing car race game).It in some instances, can be prior
The access permission to application 335 is authorized, and is recognized in some manner by user.(for example, access is hard during the execution of application
Disk, with the associated code of the subsequent execution retrieved with applied) it can be desirable to certain API Calls.
But when application 335 run in mobile device 304 when, can by using 335 triggering it is undesirable sensitive or by
Limit API Calls.For example, using 335 can call with to the associated API Calls of the access of financial data in mobile device 304.
In response to sensitive or limited API Calls, mobile device 304 can provide the just incipient instruction of sensitive or limited API Calls.
For example, can be provided by the hardwired indicator lamp 322 (such as LED, lamp etc.) in mobile device 304
Call the instruction of API Calls.In this regard, such hardwired indicator embodiment is not applied actually by Malware
Frame or distort the influence of trial.For example, Malware application, which cannot be covered or be covered, indicates sensitive or limited API on display screen
The image of calling.Alternative or additionally, can by the indicator icon 324 on the part of the display screen of mobile device 304 come
The instruction for calling API Calls is provided.It related with two indicator lamp embodiments can will control and module is as independent
Operating system subsystem include in a device, sensitive or limited API notification technique further is frame in Malware application
Trial minimize.
In order to alert user, indicator lamp 322 and/or indicator icon 324 can have mostly clever according to accessed API
It is quick, it illuminates, flash, flash or beats according to different colors and duration.For example, data and code will be applied with for it
Isolation (for example, sandboxed) is locally stored access and can be shown as green indicator using related.But more sensitively
Assessment (such as cookie or other users relevant information between sharing application) can be shown as yellow indicator (for example,
For the browsing history based on user, non-present context orientation display user advertising, certain ad systems may execute such
Task).For High sensitivity or limited access (for example, the information that height is personal, such as, but not limited to contact name of user
List, position, document and Email), indicator lamp 322 and/or indicator icon 324 can be shown as red indicator.
Similarly, for various level of sensitivity associated with the API Calls of calling, by indicator lamp 322 and/or
The duration indicated provided by indicator icon 324 can be different.For example, green indicator can be of short duration flashing or
Bounce, yellow indicator can be slightly long flashing or bounce (for example, 500 milliseconds), and red indicator can be for a long time
It flashes (for example, one second), so that the user of mobile device 304 be promoted to notice when call High sensitivity or limited API
Calling.
It has been adjusted with visual manner to the user of mobile device 304 communication it is understood that other technologies can be used
With sensitive or limited API Calls.In addition, in some embodiments, the instruction for having called up API Calls may include sound (example
Such as, chirp, beeping sound or alarm song) or mobile device 304 vibration.For example, can be utilized according to the sensitivity of API Calls
The duration of different sound and sound.In some instances, the sound for being used to refer to have called up API Calls can be
It cannot distinct sound selected to use in the other systems setting of mobile device 304.
According in some terms, can have to API Access log or similar message reference log offer with API Calls calling
The entry of pass.In some instances, it is visiting can to click indicator icon 324 by the user of mobile device 304 for API Access log
It asks.In this regard, potential threat, investigation and sensitive or limited API Access can be alerted to the user of mobile device 304 in real time
Associated details, and if necessary, take any corrective action.
Fig. 3 B illustrates the example of API Access log 350.API Access log 350 can be (only to be mentioned in mobile device 304
For API Access notify) display screen on visible notice log.For example, API Access log 350 may include instruction and API Access
The notice header column 352 of the related Apply Names of event, level of sensitivity, details, time etc. column.API Access log item
Mesh 355a-g identifies the details of API Access event, and can be sorted in different ways, such as based on appearance
Time.
The user of mobile device 304 can check API Access log 350, such as passing through indicator lamp 322 and/or referring to
When showing that device icon 324 alerts uncommon or undesirable API instruction.But user can he more easily when look back
API Access journal entries 355a-g.It is important to note that, high-level (for example, red indicator) API Access journal entries are different
Surely indicate it is incumbent why not correct API Access.On the contrary, can simply be alerted simultaneously according to the API notification technique of some aspects
Notify user, specific API Calls or event are occurring.For example, user can completely it is expected for and financial application
The API Access journal entries 355d of the related API Calls of associated personal information and for associated with map application
The related API Calls of location information API Access journal entries 355g.
User it can be desirable to some low level of access or middle level of access API Calls, such as API Access journal entries
355b,355e,355f.But the API Calls of other high level of access and middle level of access may cause attention.For example, as above
Described in the example accessed when about object for appreciation car race game, user is likely to apply associated Personal Finance with car race game
The details of information-related API Calls inquiry API Access journal entries 355a.
Alerted in addition, user may be instructed to device lamp 322 and/or indicator icon 324, and in order to with operating system library
Using the details for installing the related API Calls inquiry API Access journal entries 355c of new icon on associated user's main screen.
For example, the installation in order to drive the still not found application of user, certain operating system libraries can install on the main screen of user
New icon.User be not necessarily to be construed as what for downloading the appearance of new opplication icon on the home screen or how to appear in
On main screen or which is applied or such installation activity is responsible in which application.The user of mobile device 304 is accessible
API Access log 350 and the details for looking back API Access journal entries 355c.Then user can make decision, API Calls and
Whether result event is subjected to for a user, perhaps removes the application for carrying out API Calls or the license for removing application,
To call specific API Calls, if possible.
Therefore, it can be accessed together with the sensitivity degree CommAPI of API Access detected and relevant information accesses
Real-time instruction, the user of mobile device 304 is easily set sensitive or limited API Calls with current by movement
Standby 304 applications executed are associated.In addition, in some embodiments, access water associated with sensitive or limited API Calls
Flat or classification is fixed, therefore user cannot modify the level of sensitivity for giving specific API or API Calls.In this regard, example
Such as, Malware application cannot attempt the setting parameter via user configuration source code, by high level access (for example, red refers to
Show device) change into low-level access (for example, green indicator).
It further provides for using notification procedure using the related example A PI of notification technique with above-mentioned API.Example A PI is used
Notification procedure can be used in conjunction with other processes and aspect of the disclosure.Although coming about the example provided in Fig. 1 to Fig. 3 B
Description aspect, but API is without being limited thereto using notification procedure.
For example, can be detected by calculating equipment (for example, electronic equipment 104, mobile device 204 or mobile device 304)
The API Calls made by application.API Calls detected can be related with access data associated with calculating equipment.API is exhaled
The level of sensitivity cried can be determined based on associated data.The level of sensitivity of API Calls can be determined as it is high, in or it is low.
The instruction of API Calls based on identified level of sensitivity can be provided by API using notification procedure.
In some instances, API can activate the hardwired indicator in calculating equipment (for example, referring to using notification procedure
Show device lamp 322) and/or calculate device display screen on indicator icon (for example, indicator icon 324), to provide API Calls
Instruction.In some instances, it can star indicator icon, visited to such as provide API on the display screen for calculating equipment
Ask that log, the API Access log include and the associated one or more API Access of one or more corresponding API Calls
Entry.
Fig. 4 illustrates the process of the related instantiation procedure of installation of the application with installation comprising one or more API Calls
Figure.It should be appreciated that the operation in process 400 can be used in conjunction with other aspects and process of the disclosure.Although extremely about Fig. 1
The example provided in Fig. 3 B describes the aspect of process 400, but process 400 is without being limited thereto.
In block 402, can handle request (for example, by electronic equipment 104,110 trustship of server website or
With electronic equipment 104 have connection other electronic equipments 102,103,105), with answering for installation requirement access one or more API
With.It should be appreciated that using may include any executable program code, such as, but not limited to various general programming languages or explanation
The code that property programming language (such as Java, C++, JavaScript, Visual Basic etc.) is write.
In block 404, the level of sensitivity of one or more API can be determined.For example, equipment is (for example, electronic equipment
104, mobile device 204 or mobile device 304) it can determine that application to be installed requires in the one or more API that can be accessed
Each API level of sensitivity.It was determined that request be installed in equipment can be with using required whole API
Harmless API is associated, and some in required API can be associated with harmless API, and a part can be with limited API phase
Association or required API in all can be associated with limited API.In some instances, it is limited (or sensitive) API
Classification may include the shared contacts list of user, the position of user, the Email of user, user cookie, and/or
Customer documentation or file stored in equipment or being accessed by equipment.
Other examples for being related to being limited (or sensitive) API category may include controlling with the entire screen to user equipment
Associated API (for example, screen mode toggle), the microphone in access equipment, the loudspeaker in access equipment, in access equipment
Camera is obtained about whether can detecte the information of face by forward direction camera in equipment or backward camera, obtain and distribute to
The IP address of equipment, the incarnation (for example, photograph or portrait of user) for obtaining user, obtains the e-mail address for obtaining user
The configuration of user's main screen in the browsing history or Web search history, acquisition equipment at family is taken (for example, about on the home screen
Have what icon and icon information where), obtain user's installed application in equipment list, obtain user
In equipment the frequency of use and usage history of installed application, obtain equipment in remaining amount of batteries, acquisition and other
The related information of WiFi beacon near the detectable Bluetooth beacon or user equipment of user equipment as user (for example, work as
Front position agency information), obtain about around equipment either with or without light information, obtain equipment temperature (for example, can indicate
The information of placement of the equipment on user's body), the orientation that obtains the mobile speed of equipment, obtain equipment, to obtain equipment current
The state for whether being used for call, the call history for obtaining equipment, the tinkle of bells for obtaining equipment and acquisition are with equipment in sky
How long (pass through the on the move at least one of of the user of the activation of display, equipment input or equipment under not busy state
It is a to measure) related information.
It should be appreciated that possibly through the application for API associated with the various sensors in equipment with license
It potentially determines personally identifiable information, especially other information related with the user of equipment is being combined to use such acquisition
Sensor information when.
In block 406, when the identified sensitivity water of at least one API in the API of one or more of requirements
When flat associated with limited API category, it is desirable that pass through website delivering answering comprising one or more API Calls using security mechanism
Code.It in some embodiments, may include security socket layer in security mechanism related with the delivering of code
(SSL) agreement.In order to use in various embodiments, it is also considered that other for delivering code securely transmit technology.
In block 408, the application that require one or more API Calls can be mounted in equipment (for example, by from trustship
The server 110 of website is downloaded).In some embodiments, mode application being mounted in equipment can be based on described one
The identified level of sensitivity of each API of the API of a or multiple requirements.For example, working as the API of one or more of requirements
In at least one API identified level of sensitivity it is associated with limited API category when, the peace that may require can be used
The code of full application of the mechanism delivering comprising one or more of API.But in some instances, complete when include in application
API required by portion be classified as low evil or it is harmless when, can deliver according to unsafe mode comprising one or more of
It is required that API application code.
Referring to Fig. 5, the instantiation procedure 500 for being used to determine whether to allow API Calls is illustrated.It should be appreciated that can combine
Operation in other processes and aspect use process 500 of the disclosure.Although being retouched about the example provided in Fig. 1 to Fig. 3 B
The aspect of process 500 is stated, but process 500 is without being limited thereto.
In block 502, equipment (for example, electronic equipment 104, mobile device 204 or mobile device 304) be can receive by institute
The first API Calls that the application of installation is made.For example, API Calls module (for example, application program or device driver) can make
The first API Calls are carried out with API, the API can specify one or more functions, data structure, agreement, format and/or reality
Now reside in the feature of the API of the module (for example, operating system or application program) in equipment.
In some examples, the application that operation installation described in process 400 carries out the first API Calls can be used.But
It is, using may be by other means (for example, being installed by flash memory driving, CD-ROM etc., or by swashing
Resident code on electronic equipment 104 living installs (such as preassembled application)) it has been installed in equipment, or do not have to
Process 400 is installed.It is any under such circumstances, equipment can handle received the made by the application installed
One API Calls.
Determine block 504 in, can by equipment determine received first API Calls level of sensitivity.For example, equipment
Licensing system it was determined that the first API Calls and remote application (cross over network 108 for example, residing on server 110
Application) shared device position.In some embodiments, the position of shared device is considered as limited API category.
In block 506, when the level of sensitivity of identified API Calls is not associated with limited API category, equipment
Licensing system can permit API Calls.Therefore, in some embodiments, the licensing system of equipment can permit any harmless
Whether API Calls, the author regardless of the application installed are confirmed as authorized author.But in other embodiments,
Even if when the level of sensitivity of identified API Calls is not associated with limited API category (for example, for requiring access one
The application of all installations of a or multiple API, it is desirable that author is authorized user), the licensing system of equipment also it was determined that
Whether the author for the application installed is confirmed as authorized author.
When received first API Calls identified level of sensitivity it is associated with limited API category when, equipment
Licensing system can determine whether the author of installed application is confirmed as authorized author (determining block 508).For example, can
By determine certificate associated with the delivering of code during the installation of application whether be trusted entities it is all or by
Trusted entities confirm to determine whether the author of installed application is confirmed as authorized author.In the various of process 500
In example and embodiment, trusted entities can be corporate entity (for example, Web search associated with server 110 provides
Person, software developer etc.) or personal user's (for example, with electronic equipment 102,103 associated users).Above with reference to Fig. 2
The concept of trusted entities and application license is described in detail.
In some embodiments, certificate associated with the delivering of code can be security socket layer (SSL) certificate.
For example, author's authorization of Xiang Yingyong can be based on having SSL certificate, and the SSL certificate is used for during the processing of installation application
Binary code is delivered to equipment.It should be appreciated that being using the advantages of SSL technology, do not find such technology according to such as
Mode with ssl protocol applies constraint to website delivery applications, and for example, can under some cases for being related to brokered transaction
To use relevant delivery mechanism.
When the author for the application installed is confirmed as authorized author, can be allowed by the licensing system of equipment
(block 506) has been identified as received first API Calls of institute associated with limited API.But when the author of application does not have
When being confirmed as authorized author, can not allow or refuse received first API Calls access its associated AP I
(block 510).
In block 512, the second API Calls made by the application installed be can receive.Therefore, when the application installed
Author when being confirmed as authorized author, can permit received second API Calls access its associated AP I (block
514).Similarly, once the licensing system of equipment determines that the author of application is authorized author, so that it may certainly by licensing system
The dynamic any subsequent API Calls for allowing to be made by the application.
Fig. 6 is the flow chart for illustrating example process 600, and the process 600 is used for through one or more by reliable
Body, the certification of the author based on application determine whether to require the application of one or more API Calls to be mounted in equipment.
It should be appreciated that the operation in other processes and aspect use process 600 of the disclosure can be combined.Although about Fig. 1 to figure
The system of 3B describes process 600, but process 600 is without being limited thereto.
In block 602, equipment (for example, electronic equipment 104, mobile device 204 or mobile device 304) can handle peace
The request for filling application, it is required that the one or more API Calls made by application to be installed.For example, the user of equipment may
Wish to start the downloading (for example, using 262a) from remote server to application.But for example, user not necessarily knows application
Author be who or author authority.
Hence, it can be determined that the creation entity (block 604) of application.For example, equipment can come from remote server by receiving
Instruction determine application creation entity.In addition, equipment can from trusted entities, (such as accredited Web search be mentioned by receiving
Donor entity 252) instruction determine application creation entity.
In block 606, equipment it was determined that creation entity whether by one or more trusted entities (such as accredited web
Search for supplier 252) certification.In some embodiments, one or more trusted entities are considered as by the users to trust of equipment.
For example, equipment may include the list of trusted entities, including but not limited to Web search supplier, ISP, research and development of software
Person, and other entities of the distribution of application can be promoted.
In some instances, determine the determination that whether is authenticated by one or more trusted entities of creation entity can based on
The code of application is carried out by creation entity to deliver the received safety certificate of associated one or more trusted entities institutes.?
In some embodiments, safety certificate is security socket layer (SSL) certificate.But, it is also considered that for providing safety certificate etc.
Deng other technologies.
In addition, according in some terms, can by the trust that one or more trusted entities provide in example authentication processing
It can be time barred.For example, determining whether creation entity may include determining by one by the certification of one or more trusted entities
Or whether multiple trusted entities are more than validity period to the certification of creation entity.In some embodiments, the validity period of certification is
1 year;But in other embodiments, 30 days certification validity periods can be used for example.
Similarly, equipment can receive trust water associated with the first trusted entities in one or more trusted entities
Flat assessment.Such as the creation entity trusted by the first trusted entities, level of trust assessment can be based on due to caused by applications
Multiple security violations.In this regard, equipment can determine, if multiple security violations (and/or the type/seriousness violated) are
Equipment (for example, correlation threshold in equipment setting) or user's (for example, when looking back dialogue screen) of equipment can not connect
It receives, just removes the first trusted entities of the trusted entities as equipment.It should be appreciated that in some embodiments, trusting water
Flat assessment is generated by neutral third party.
In block 608, when creating entity and being authenticated by least one trusted entities, can be allowed by equipment perhaps can be to wanting
Ask the installation of the application of one or more API Calls.But according to some examples, if it is determined that it is required that one or more API is exhaled
The application cried is not authenticated by any trusted entities, so that it may refuse the installation of application.
According to some aspects, transition trust techniques can be used to allow the installation in equipment to application.For example, can pass through
Equipment receives remote server with the application of creation entity in relation to the request of (for example, using 264c or using 266).Show some
In example, the request of remote server can be originated from third party (for example, the trusted entities of the equipment of not yet certification creation entity, but
It may function as go-between).But in other examples, the request of remote server can be derived directly from creation entity, and
Equipment (for example, connecting via SSL) can be sent in the way of safety.Request can identify that one or more API are exhaled
At least one transition trusted entities of the creation entity of the API and authentication application for the requirement cried or applied.
At least one transition trusted entities (for example, ISP 254) can be certification and trust application (for example, answering
The entity of entity is created with 264c), but is not identified as the trusted entities of equipment.For example, equipment not necessarily establishes
With the trusted relationship of at least one transition trusted entities because the user of equipment may not realize that special entity (presence,
Or in the case where no clear request, each application for not allowing the special entity authorization may be selected.
For example, if at least one transition trusted entities is identified as trusted entities by equipment, in certain implementations
In mode, the process of the clear request of remote server is received by unnecessary (for example, not to the request of installation the case where
Under, if ISP 254 is the trusted entities of equipment, the creation entity trusted by ISP 254 will be allowed
264c is applied in creation, as described in block 606).Therefore, if equipment knows that (for example, being ratified by user) identifies one or more
At least one transition trusted entities of the creation entity of the API and authentication application of the requirement of a API Calls or application
Clear request, then equipment will allow perhaps can install application by the transition trust techniques.
Fig. 7 conceptually illustrates the electronic system that some embodiments of subject technology are realized using it.Electronic system
700 can be server, computer, phone, PDA, tablet computer, have one or more processors be embedded or and its
The television set of connection or common any electronic equipment.Such electronic system includes various types of computer-readable Jie
The interface of matter and the computer-readable medium for various other types.Electronic system 700 includes bus 708, processing unit
712, system storage 704, read-only memory (ROM) 710, permanent storage appliance 702, input equipment interface 714, output equipment
Interface 706 and network interface 716.
Bus 708 indicates to be communicatively coupled all system bus of multiple internal units of electronic system 700, outer jointly
Enclose bus and chipset bus.For example, bus 708 communicably by processing unit 712 and ROM 710, system storage 704,
And permanent storage appliance 702 is connected.
By these various memory cells, processing unit 712 retrieves the instruction and data to be processed to be executed, with
Execute process disclosed in theme.In various embodiments, processing unit can be single processor or multi-core processor.
Static data and instruction needed for other modules of 710 storage processing unit 712 of ROM and electronic system.It is another
Aspect, permanent storage appliance 702 are read-write memory equipments.The equipment is Nonvolatile memery unit, even if electronic system
Also store instruction and data when 700 power-off.Some embodiments disclosed in theme using mass-memory unit (such as disk or
CD and its corresponding disk drive) it is used as permanent storage appliance 702.
Using removable storage device, (such as floppy disk, flash memory and its corresponding disk drive other embodiments
It is dynamic) it is used as permanent storage appliance 702.As permanent storage appliance 702, system storage 704 is read-write memory equipment.But
Be with storage equipment 702 it is different, system storage 704 is volatile read-write memory, such as random access memory.System
704 storage processor of memory needs some in instruction and data at runtime.In some embodiments, theme is disclosed
Process be stored in system storage 704, permanent storage appliance 702 or ROM710.For example, according to some of subject technology
Embodiment, various memory cells may include the finger for operation related with application license and API Access notification technique
It enables.By these various memory cells, processing unit 712 retrieves the instruction and data to be processed to be executed, to execute
The process of some embodiments.
Bus 708 is also connected to input equipment interface 714 and output equipment interface 706.Input equipment interface 714 to use
Family can the communication information and select electron system order.The input equipment packet being used together with input equipment interface 714
Include such as alphanumeric keyboard and indicating equipment (also referred to as " cursor control device ").Output equipment interface 706 is enabled for example electric
The display for the image that subsystem 700 generates.The output equipment being used together with output equipment interface 706 include for example printer and
Display apparatus, such as cathode-ray tube (CRT) or liquid crystal display (LCD).Some embodiments include doubling as input equipment
With the equipment of output equipment, such as touch screen.
As shown in fig. 7, electronic system 700 is also coupled to network (not shown) by network interface 716 by bus 708.It is logical
Such mode is crossed, computer can become a part of computer network, such as local area network (" LAN "), wide area network
The network of (" WAN ") or Intranet or network, such as internet.It can disclose in conjunction with theme using electronic system 700
Any component or all components.
Above-mentioned function can be implemented in Fundamental Digital Circuit, in computer software, firmware or hardware.The technology
One or more computer program products can be used to be implemented.Programmable processor and computer can be included in mobile device
In or be encapsulated as mobile device.Process and logic flow can be by one or more programmable processors and can by one or more
Program logic circuit executes.Universal computing device and dedicated computing equipment and storage equipment can pass through interconnection of telecommunication network.
Some embodiments include electronic building brick, and computer program instructions are such as stored in machine readable or computer can
Read microprocessor in medium, storage and memory (alternatively referred to as computer readable storage medium, machine readable media or
Machine readable storage medium).Some examples of such computer-readable medium include RAM, ROM, CD-ROM (CD-ROM),
Recordable light compact disk (CD-R), solid state drive (CD-RW), read-only digital versatile disc are (for example, DVD-ROM, DVD-dual layer-
ROM), various recordable/rewritable DVDs (for example, DVD-RAM, DVD-RW, DVD+RW etc.), flash memory are (for example, SD
Card, mini SD card, miniature SD card etc.), magnetic or solid state hard disk driving, super disc density, any other light or magnetic medium,
And floppy disk.Computer-readable medium, which can store, can be executed by least one processing unit and including for executing various operations
The computer program of instruction set.The example of computer program or computer code includes, such as, by the machine generation of compiler generation
Code, and the file including higher level code, electronic building brick or the micro process for using interpreter that are executed by computer
Device.
For example, can store the instruction for being used to execute various operations in a memory cell, and counted in one or more
Quilt in calculation machine program product (such as one or more modules of the computer program instructions encoded on a computer-readable medium)
It realizes, for executing or controlling the operation of electronic system 700 by electronic system 700, and according to those skilled in the art's public affairs
Any method known, the including but not limited to language (for example, SQL, dBase) of such as data-oriented, system language (for example, C,
Objective-C, C++, compilation), schema languages (for example, Java and .NET) and applicational language (for example, PHP, Ruby,
Perl, Python) computer language.
Instruction for executing various operations can also be implemented in the form of computer language, such as array language, face
Language, assembler language, author language, command line interface language, compiler language, concurrent language, brace language, number in terms of
According to stream language, data structure language, declarative language, secret language, extension language, fourth generation language, functional explanations, interaction
It is pattern language, interpreted language, iteration language, the language based on list, small language, the language of logic-based, machine language, macro
Language, metaprogramming language, more pattern language, numerical analysis, based on non-english language, class-based object-oriented language,
Object-oriented language, offside rule language, procedural language, reflection language, rule-based language, script based on prototype
Language, the language based on stack, synchronous language, grammer handle language, visual language, Wei Erte (wirth) language, embedded language
Speech and the language based on XML.In addition, during the execution for the instruction to be executed by processor 712, it can be by various memories
Unit is for storing temporary variable or other average informations.
Although the microprocessor or multi-core processor described above for referring mainly to execute software, some embodiments are logical
It crosses one or more integrated circuits to be performed, such as specific integrated circuit (ASIC) or field programmable gate array (FPGA).?
In some embodiments, such integrated circuit executes the instruction being stored on circuit itself.
As used in specification and claims of this application requirements, term " computer ", " server ", " processor " and
" memory " all indicates electronic equipment or other technologies equipment.These terms do not include people or crowd.For illustrative purposes,
Term " display " or " showing " indicate to show on an electronic device.As used in specification and claims of this application requirements
, term " computer-readable medium " and " computer-readable medium " are strictly limited to store according to computer-readable form and be believed
The tangible physical object of breath.These terms do not include any wireless signal, wired download signal and any other instantaneous letter
Number.
In order to provide the interaction with user, the embodiment of subject content described in this specification can be implemented in computer
On, the computer has display equipment from information to user (such as CRT (cathode-ray tube) or LCD (liquid crystal for showing
Display) monitor) and user can from its to computer provide input keyboard and indicating equipment (such as mouse or track
Ball).Other kinds of equipment can also be used to provide the interaction with user;For example, the feedback provided a user can be it is any
The perceptible feedback of form, such as visual feedback, audio feedback or touch feedback;And it can receive and come from according to any form
The input of user, including acoustics, voice or tactile input.In addition, computer can send document by the equipment used to user
And the equipment used from user receives document, interacts with user;For example, by response to from the received request of web browser,
Web browser on user client device sends webpage.
The embodiment of theme described in this specification can realize that the computing system includes aft-end assembly in computing systems
(such as data server) including middleware component (such as application server) including front end assemblies (such as client calculates
Machine), or be implemented in any combination of the rear end as one or more, middleware or front end assemblies, client calculates
Machine has graphic user interface or web browser, and user can be handed over by the embodiment of itself and theme described in this specification
Mutually.The component of system can be interconnected by any form or medium of digital data communications, such as communication network.Communication network shows
Example includes local area network (" LAN ") and wide area network (" WAN "), internet (for example, internet), peer-to-peer network (for example, equity point
To spot net).
Computing system may include client and server.Client and server is generally remote from each other, and generally passes through communication
Network interaction.The relationship of client and server on corresponding computer by running and mutually with client-server
The computer program of device relationship generates.In some embodiments, server is to client device transmission data (for example, HTML
The page) (for example, in order to show data to the user interacted with client device and receive the purpose that user inputs from user).
The data (for example, result of user's interaction) generated in client device can be received from client device at server.
It should be appreciated that any particular order or level of block are all the explanations of example approaches in the disclosed process.It should
Understand, the particular order or level of block during being rearranged based on design preference, or executes the block of all diagrams.Have
A little blocks may be performed simultaneously.For example, in some environments, multitask and parallel processing are advantageous.In addition, in above-described embodiment
In the separation of various system components be not construed as requiring such separation in all embodiments, but should be understood as leading to
Described program component and the system integration in single software product or can be often encapsulated in multiple software product.
It is noted earlier that those skilled in the art is enabled to practice various aspects described herein.Various in terms of these are repaired
Change to those skilled in the art it is clear that and the General Principle limited herein can be applied to other aspects.Cause
This, claim is not limited to aspect illustrated herein, and be to fit to the consistent full scope of language claims,
In, unless illustrating in this way, being otherwise not intended to according to singular to the reference of element means " one and only one ", but
" one or more ".Unless in addition illustrating, otherwise "some" expressions of term are one or more.Male's pronoun (such as he) include
Women and neutrality (such as his and it), vice versa.If any, title and subtitle are intended merely to convenient and make
With being not intended to limit theme and disclose.
As used herein, term website may include any aspect of website, including one or more webpages, for holding in the palm
One or more servers etc. of pipe or storage web related content.Therefore, term website can be with term webpage and server
It is used interchangeably.
Predicate verb " being configured as ", " being operable as ", " being programmed to " do not imply that any specific tangible or nothing of theme
The modification of shape, and be intended to be used interchangeably.For example, being configured as the processor of monitoring and control operation or component can also anticipate
Taste be programmed to monitor and control operation processor or be operable as be monitored and controlled operation processor.Equally, quilt
The processor for being configured to execute code may be considered that the processor for being programmed to execute code or be operable as executing code
Processor.
As used herein, a series of phrase after items (separating any one item with term "or") is " wherein
At least one " list is modified to an entirety, rather than each single item of modification list.Phrase " wherein at least one " does not require
Select at least one;On the contrary, the phrase allows to include: any group of at least one of any one of item, and/or item
In at least one of which, and/or item in conjunction it is each in at least one of meaning.As an example, phrase is " in A, B or C
At least one of which " can refer to: only A, only B or only C;Or any combination of A, B and C.
The phrase of such as " aspect ", which does not imply that, such aspect to be the theme technology institute is necessary or such aspect is suitable for
All configurations of subject technology.Disclosure related with aspect is applicable to all configurations, or one or more configurations.Such as it is square
Phrase as face can indicate one or more aspects, and vice versa.Phrase as such as " configuration " does not indicate such
It is configured to subject technology institute necessity or such configuration is suitable for all configurations of subject technology.The related disclosure with configuration
It is applicable to all configurations, or one or more configurations.One or more configurations can be referred to by such as configuring such phrase, instead
?.
Word " example " expression " as example or illustrating " is used herein.It is described herein as any aspect of " example "
Or design is all not necessarily considered as preferred or advantageous relative to other aspects or design.
Claims (14)
1. a method of computer implementation, which comprises
Receive the first Application Programming Interface API Calls made by the application installed in equipment;
Determine received first API Calls level of sensitivity;
When received first API Calls identified level of sensitivity it is associated with limited API category when, pass through determine use
During the process for installing the application by binary code be delivered to the equipment security socket layer SSL certificate whether
It is all or confirmed by trusted entities for trusted entities, to determine whether the author of installed application is authorized work
Person;And
When the author for determining installed application is authorized author, received first API Calls of institute is allowed to access
Its associated AP I.
2. according to the method described in claim 1, further comprising:
When the author of the application is not determined as authorized author, received first API Calls of refusal institute are visited
Ask its associated AP I.
3. according to the method described in claim 1, further comprising:
Receive the second API Calls made by the application installed;
When the author for determining installed application is authorized author, received second API Calls of institute is allowed to access
Its associated AP I.
4. a kind of system for authorizing using license, the system comprises:
One or more processors;And
Memory including instruction, described instruction by one or more of processors when being executed, so that one or more
A processor:
Receive the first Application Programming Interface API Calls made by the application installed;
Determine received first API Calls level of sensitivity;
When received first API Calls identified level of sensitivity it is associated with limited API category when, pass through determine use
During the process for installing the application by binary code be delivered to equipment security socket layer SSL certificate whether be by
Reliable body is all or is confirmed by trusted entities, to determine whether the author of installed application is authorized author;
And
When the author for determining installed application is authorized author, received first API Calls of institute is allowed to access
Its associated AP I.
5. system according to claim 4, wherein described instruction by one or more of processors when being executed, into one
Step is so that one or more of processors:
When the author of the application is not determined as authorized author, received first API Calls of refusal institute are visited
Ask its associated AP I.
6. system according to claim 4, wherein described instruction by one or more of processors when being executed, into one
Step is so that one or more of processors:
Receive the second API Calls made by the application installed;
When the author for determining installed application is authorized author, received second API Calls of institute is allowed to access
Its associated AP I.
7. a kind of system for authorizing using license, the system comprises:
One or more processors;And
Memory including instruction, described instruction by one or more of processors when being executed, so that one or more
A processor:
The API Calls that detection is made by application, the API Calls are for accessing data associated with equipment is calculated;
The level of sensitivity of the API Calls is determined based on the associated data;And
Based on identified level of sensitivity, the instruction of the API Calls is provided, providing the instruction includes activating the calculating
The indicator icon on hardwired indicator or the activation display screen for calculating equipment in equipment.
8. system according to claim 7, wherein described instruction when being executed by one or more of processors so that
One or more of processors determine the level of sensitivity of the API Calls based on the associated data, into one
Step so that one or more of processors determine the API Calls the level of sensitivity whether be it is high, in or it is low in
At least one.
9. system according to claim 7, wherein described instruction by one or more of processors when being executed, into one
Step is so that one or more of processors:
It detects whether to have been started up the indicator icon;And
In response to starting the indicator icon, API Access log is provided, the API Access log includes and one or more
The associated one or more API Access entries of corresponding API Calls.
10. system according to claim 7, wherein described instruction makes when being executed by one or more of processors
It obtains one or more of processors and provides the instruction of the API Calls based on identified level of sensitivity, further such that
One or more of processors provide entry to API Access log.
11. a kind of non-transitory machine readable media, including storage instruction therein, described instruction when executed by a machine, make
The machine performing operations are obtained, the machine readable media includes:
For detecting the instruction for the API Calls made by application, the API Calls are for accessing number associated with equipment is calculated
According to;
For determining the instruction of the level of sensitivity of the API Calls based on the associated data;And
For providing the instruction of the instruction of the API Calls based on identified level of sensitivity, providing described instruction includes swashing
Indicator icon on the hardwired indicator calculated in equipment living or the activation display screen for calculating equipment.
12. non-transitory machine readable media according to claim 11, wherein for being based on the associated data
The instruction for determining the level of sensitivity of the API Calls includes the level of sensitivity for determining the API Calls
Whether be it is high, in or at least one of low instruction.
13. non-transitory machine readable media according to claim 11, further comprises:
For detecting whether having been started up the instruction of the indicator icon;And
In response to starting the indicator icon, for providing the instruction of API Access log, the API Access log include with
One or more associated one or more API Access entries of corresponding API Calls.
14. non-transitory machine readable media according to claim 11, wherein for based on identified sensitivity water
Flat, the instruction for providing the instruction of the API Calls includes for providing the instruction of entry to API Access log.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/145,644 | 2013-12-31 | ||
US14/145,644 US9256755B2 (en) | 2013-12-31 | 2013-12-31 | Notification of application permissions |
PCT/US2014/072274 WO2015103058A1 (en) | 2013-12-31 | 2014-12-23 | Notification of application permissions |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105874462A CN105874462A (en) | 2016-08-17 |
CN105874462B true CN105874462B (en) | 2019-06-14 |
Family
ID=53482122
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201480071883.3A Active CN105874462B (en) | 2013-12-31 | 2014-12-23 | Using the notice of license |
Country Status (6)
Country | Link |
---|---|
US (2) | US9256755B2 (en) |
EP (2) | EP3090374B1 (en) |
CN (1) | CN105874462B (en) |
AU (1) | AU2014374041B2 (en) |
CA (1) | CA2931640C (en) |
WO (1) | WO2015103058A1 (en) |
Families Citing this family (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9225715B2 (en) * | 2013-11-14 | 2015-12-29 | Globalfoundries U.S. 2 Llc | Securely associating an application with a well-known entity |
US9112834B1 (en) * | 2014-01-02 | 2015-08-18 | Juniper Networks, Inc. | Protecting sensitive web transactions using a communication channel associated with a user |
US9473883B2 (en) | 2014-05-31 | 2016-10-18 | Apple Inc. | Location service authorization and indication |
US20160275000A1 (en) * | 2015-03-17 | 2016-09-22 | Wegilant Net Solutions Pvt. Ltd. | System and method of automated application screen flow generation for detecting aberration in mobile application |
US9591443B2 (en) * | 2015-06-01 | 2017-03-07 | Apple Inc. | Location service management |
US9591000B2 (en) * | 2015-06-19 | 2017-03-07 | Oracle International Corporation | Methods, systems, and computer readable media for authorization frameworks for web-based applications |
JP6493086B2 (en) * | 2015-08-24 | 2019-04-03 | 富士通コネクテッドテクノロジーズ株式会社 | Information processing apparatus and information processing program |
US20180260864A1 (en) * | 2017-03-07 | 2018-09-13 | Facebook, Inc. | Merchant-facing Queue Interface |
US11637844B2 (en) * | 2017-09-28 | 2023-04-25 | Oracle International Corporation | Cloud-based threat detection |
US11379565B2 (en) * | 2017-10-02 | 2022-07-05 | Microsoft Technology Licensing, Llc | Identifying and consenting to permissions for workflow and code execution |
KR102477043B1 (en) | 2017-11-08 | 2022-12-14 | 삼성전자주식회사 | Electronic device and control method thereof |
US20190394239A1 (en) * | 2018-06-20 | 2019-12-26 | GM Global Technology Operations LLC | Application based policy management used with a client and a service provider |
US11171929B2 (en) * | 2018-12-17 | 2021-11-09 | International Business Machines Corporation | Applying differential security to API message payload data elements |
US20220129542A1 (en) * | 2019-03-05 | 2022-04-28 | Intel Corporation | Deterministic trusted execution container through managed runtime language metadata |
US11190512B2 (en) | 2019-04-17 | 2021-11-30 | Microsoft Technology Licensing, Llc | Integrity attestation of attestation component |
US11392467B2 (en) | 2019-04-17 | 2022-07-19 | Microsoft Technology Licensing, Llc | Failover between decentralized identity stores |
US11429743B2 (en) | 2019-04-29 | 2022-08-30 | Microsoft Technology Licensing, Llc | Localization of DID-related claims and data |
US11381567B2 (en) | 2019-04-29 | 2022-07-05 | Microsoft Technology Licensing, Llc | Execution of an application within a scope of user-granted permission |
US11411959B2 (en) * | 2019-05-03 | 2022-08-09 | Microsoft Technology Licensing, Llc | Execution of application in a container within a scope of user-granted permission |
US11222137B2 (en) | 2019-05-03 | 2022-01-11 | Microsoft Technology Licensing, Llc | Storing and executing an application in a user's personal storage with user granted permission |
US20210304143A1 (en) * | 2020-03-31 | 2021-09-30 | Atlassian Pty Ltd. | Data classification in application programming interfaces at attribute level |
US11755776B2 (en) * | 2020-11-20 | 2023-09-12 | Paypal, Inc. | Detecting leakage of personal information in computing code configurations |
JP2022120689A (en) * | 2021-02-05 | 2022-08-18 | トヨタ自動車株式会社 | On-vehicle information processing device, information processing method, and program |
WO2022266549A1 (en) * | 2021-06-18 | 2022-12-22 | ALTR Solutions, Inc. | Security driver external functions |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE20217854U1 (en) * | 2002-10-07 | 2003-02-06 | Benkhardt Axel | Signaling device, data processing device, detection means and associated system |
CN102906755A (en) * | 2009-12-17 | 2013-01-30 | 桑迪士克科技股份有限公司 | Content control method using certificate revocation lists |
Family Cites Families (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB0212314D0 (en) | 2002-05-28 | 2002-07-10 | Symbian Ltd | Secure mobile wireless device |
GB0322876D0 (en) | 2003-09-30 | 2003-10-29 | British Telecomm | Method and system for authenticating a user |
US8156488B2 (en) | 2004-10-20 | 2012-04-10 | Nokia Corporation | Terminal, method and computer program product for validating a software application |
US7797545B2 (en) * | 2005-09-29 | 2010-09-14 | Research In Motion Limited | System and method for registering entities for code signing services |
US7730539B2 (en) * | 2005-10-21 | 2010-06-01 | Microsoft Corporation | Authenticating third party products via a secure extensibility model |
US8321949B1 (en) | 2008-08-29 | 2012-11-27 | Adobe Systems Incorporated | Managing software run in a computing system |
US9367680B2 (en) | 2008-10-21 | 2016-06-14 | Lookout, Inc. | System and method for mobile communication device application advisement |
US20100242097A1 (en) | 2009-03-20 | 2010-09-23 | Wavemarket, Inc. | System and method for managing application program access to a protected resource residing on a mobile device |
US8788809B2 (en) * | 2009-04-27 | 2014-07-22 | Qualcomm Incorporated | Method and apparatus to create a secure web-browsing environment with privilege signing |
US20120222083A1 (en) * | 2011-02-28 | 2012-08-30 | Nokia Corporation | Method and apparatus for enforcing data privacy |
WO2013032422A1 (en) * | 2011-08-26 | 2013-03-07 | Hewlett-Packard Development Company, L.P. | Data leak prevention systems and methods |
US9009856B2 (en) | 2011-12-16 | 2015-04-14 | Dell Products L.P. | Protected application programming interfaces |
US8844036B2 (en) | 2012-03-02 | 2014-09-23 | Sri International | Method and system for application-based policy monitoring and enforcement on a mobile device |
US9317689B2 (en) | 2012-06-15 | 2016-04-19 | Visa International Service Association | Method and apparatus for secure application execution |
CN103514000B (en) * | 2012-06-26 | 2015-09-16 | 腾讯科技(深圳)有限公司 | Browser plug-in installation method and device |
GB2507596B (en) | 2012-10-30 | 2014-09-17 | Barclays Bank Plc | Secure computing device and method |
US9202057B2 (en) | 2013-08-30 | 2015-12-01 | Symantec Corporation | Systems and methods for identifying private keys that have been compromised |
US9280679B2 (en) | 2013-12-31 | 2016-03-08 | Google Inc. | Tiered application permissions |
-
2013
- 2013-12-31 US US14/145,644 patent/US9256755B2/en active Active
-
2014
- 2014-12-23 AU AU2014374041A patent/AU2014374041B2/en active Active
- 2014-12-23 CA CA2931640A patent/CA2931640C/en active Active
- 2014-12-23 EP EP14877362.5A patent/EP3090374B1/en active Active
- 2014-12-23 EP EP18183379.9A patent/EP3404571A1/en not_active Withdrawn
- 2014-12-23 WO PCT/US2014/072274 patent/WO2015103058A1/en active Application Filing
- 2014-12-23 CN CN201480071883.3A patent/CN105874462B/en active Active
-
2015
- 2015-12-31 US US14/986,343 patent/US9990508B1/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE20217854U1 (en) * | 2002-10-07 | 2003-02-06 | Benkhardt Axel | Signaling device, data processing device, detection means and associated system |
CN102906755A (en) * | 2009-12-17 | 2013-01-30 | 桑迪士克科技股份有限公司 | Content control method using certificate revocation lists |
Non-Patent Citations (5)
Title |
---|
Geocoding A User"s Location Using Javascript"s GeoLocation API;Ben Nadel;<URL:https://web.archive.org/web/20130610180921/https://www.bennadel.com/blog/2023-geocoding-a-user-s-location-using-javascript-s-geolocation-api.htm>;20101001;全文 |
On Lightweight Mobile Phone Application Certification;William Enck,et al;<http://web.archive.org/web/20111027083518/http://www.enck.org/pubs/ccs09-enck/pdf>;20111027;全文 |
Taking the Mystery Out of Sensing Devices in the Home;Jaeyeon Jung, et al;<Intel Labs Seattle, University of Washington>;20100518;第4页第2栏第11-46行 |
The Effectiveness of Application Permissions;Adrienne Porter Felt,et al;《http://web.archive.org/web/*http://www.cs.berkeley.edu/~daw/papers/perms-wabapps11/pdf》;20110514;全文 |
What You See is What They Get Protecting users from unwanted use of microphones, cameras, and other sensors;Jon Howell,et al;《URL:http://web.archive.org/web/20100613162614/http://w2spconf.com/2010/papers/p05.pdf》;20100613;全文 |
Also Published As
Publication number | Publication date |
---|---|
EP3090374A4 (en) | 2017-07-26 |
AU2014374041A1 (en) | 2016-06-09 |
US20150186664A1 (en) | 2015-07-02 |
WO2015103058A1 (en) | 2015-07-09 |
AU2014374041B2 (en) | 2017-03-30 |
CA2931640C (en) | 2019-09-17 |
EP3090374B1 (en) | 2018-08-22 |
US9256755B2 (en) | 2016-02-09 |
CN105874462A (en) | 2016-08-17 |
EP3404571A1 (en) | 2018-11-21 |
EP3090374A1 (en) | 2016-11-09 |
CA2931640A1 (en) | 2015-07-09 |
US9990508B1 (en) | 2018-06-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105874462B (en) | Using the notice of license | |
US10019592B2 (en) | Tiered application permissions | |
US10257199B2 (en) | Online privacy management system with enhanced automatic information detection | |
KR101951973B1 (en) | Resource access authorization | |
Slupska et al. | Threat modeling intimate partner violence: Tech abuse as a cybersecurity challenge in the internet of things | |
JP2005317022A (en) | Account creation via mobile device | |
CN114143097A (en) | Delegated authorization method and system for isolated collections | |
CN109952752B (en) | System and method for conditional authorization for isolated collections | |
CN107533618A (en) | Protect data from unwarranted access | |
US9235693B2 (en) | System and methods thereof for tracking and preventing execution of restricted applications | |
US20200387629A1 (en) | Method and system for providing user notification when personal information is used in voice control device | |
US20230084001A1 (en) | Video playing method, apparatus and device in map, computer-readable storage medium and computer program product | |
CN112235303A (en) | Account logout method and device and computer equipment | |
US9838871B2 (en) | Social access control system | |
WO2016140929A1 (en) | Disposition actions in digital asset management based on trigger events | |
Valero et al. | Analysis of security and data control in smart personal assistants from the user’s perspective | |
CA2906517A1 (en) | Online privacy management | |
CN111598544B (en) | Method and device for processing information | |
KR102413355B1 (en) | Method of providing security service to devices and server performing the same | |
Butow et al. | Communicating About Security | |
Valero Amores et al. | Analysis of security and data control in smart personal assistants from the user’s perspective | |
IE20190191A1 (en) | Digital user consent preferences and control | |
CN113495754A (en) | System and method for detecting website content theft |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information |
Address after: American California Applicant after: Google limited liability company Address before: American California Applicant before: Google Inc. |
|
CB02 | Change of applicant information | ||
GR01 | Patent grant | ||
GR01 | Patent grant |